Universal Plug And Play Flaw Impacts Millions of Devices

A protocol standard designed to make it easy to integrate routers, printers, IP cameras and millions of other network-enabled devices contains a number of weaknesses that can expose networks to attack.

The United States Computer Emergency Readiness Team (US-CERT) is warning about weaknesses in the Universal Plug and Play protocol, following a research paper issued by Rapid7 that identified protocol vulnerabilities and configuration errors. Rapid7 found that of 81 million UPnP-enabled devices exposed to the Internet, about 20 percent -- or more than 16 million devices -- allow an attacker to target systems behind the firewall.

HD Moore, the creator of the Metasploit penetration testing tool and chief security officer of Rapid7, found the errors during a laborious project that included nearly six months of actively scanning the Internet.

"Authentication is rarely implemented by device manufacturers, privileged capabilities are often exposed to untrusted networks, and common programming flaws plague common UPnP software implementations," Moore wrote in a paper outlining the UPnP problems. "These issues are endemic across UPnP-enabled applications and network devices."

The issue impacts more than 1,500 vendors and 6,900 products, according to the report. UPnP support is enabled by default on Windows, Mac and many distributions of Linux. Up to 30 UPnP-enabled device makers, including Cisco Systems, Fujitsu, Huawei, Motorola and Sony, have issued updates this week to repair the errors.

Organizations should replace systems that do not provide the ability to disable this protocol, Moore said in the report. Consumers should also take action, ensuring that the UPnP function is disabled on home routers and mobile broadband devices. "Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future," he said.

Numerous vulnerabilities in the UPnP protocol have been discovered by security researchers over the past decade and have been the subject of presentations at the Defcon and Black Hat hacker conferences.